When using Terraform, the output of terraform plan can be used to help understand the impact of your infrastructure changes. Terraform ships with terraform graph to help visualise these changes; however, when dealing with large or complex infrastructures, its output can quickly become difficult to navigate. Because of this, several visualisation tools have emerged, both open source and enterprise.
Rover is an example of an open source tool that enables users to visualise their Terraform plan. Rover is an interactive Terraform plan visualiser that helps users explore their state and configuration. Rover is open source and runs locally on your machine. This means that your Terraform state stays local and isn't sent to a remote server for processing. In addition, Rover uses the plan file to generate the state, so as well as visualising the current infrastructure state, you're able to view any changes to the resources (creation, modification, or deletion).
Rover does this by:
The quickest way to get up and running with Rover is by using Docker.
Run the following command in any Terraform workspace to generate a visualisation. This command copies all the files in your current directory to the Rover container and exposes port 9000.
Once Rover is running on localhost:9000, navigate to it in a browser to find the visualisation.
From here you can explore the visualisation of your terraform plan output. The legend on the left-hand side shows you the different categorisations of resources and other items. Rover also lets you export the generated graph as an .svg file.
Overmind is a SaaS Terraform impact analysis tool. It acts as a second pair of eyes: it takes the output of terraform plan together with the current state of your infrastructure, calculates any dependencies, and determines the potential impact, or blast radius, of a change. It works by querying your AWS infrastructure through the AWS APIs in real time using a read-only role.
Using the blast radius, its real-time dependency map and an LLM, it can provide a list of human-readable risks that can be reviewed prior to running terraform apply. These risks can either be commented back as part of your CI/CD pipeline or viewed in the app.
Overmind supports >100 different AWS resources and >300 possible relationships, including those that span AWS accounts and services, whether they were created by Terraform, manual intervention, or any other process. It currently has two plans (free and pay-as-you-go). The free plan offers unlimited users and 150 free changes per month, with any extra changes costing $0.45 each.
Get started by creating a free account.
Next you will need to create a change. This can be done by:
Let's look at an example using the GitHub action. Based on the planned changes and the relationships it has discovered, Overmind works out the blast radius of what might be affected by this change, including resources not managed by Terraform.
The GitHub action can be set up as part of your CI/CD pipeline to notify you automatically of the items/apps affected by your change. Any other CI/CD tool can be supported using the CLI.
You will then receive a set of human-readable risks, which you can review to see whether anything is unexpected or of concern. If you notice that the change might affect more than you thought, you can modify either your code or the way you plan to roll out and monitor the change to account for it. These risks can either be commented back as part of your CI/CD pipeline or viewed in the app.
By understanding which services would potentially be affected by the planned change, you'll have a full picture and will be able to fix any issues before they affect production.
When you're ready to start the change, Overmind will take a snapshot before and after to validate that the change went through as intended, allowing you to view the health status of resources and config diffs in detail within the app.
Overmind also lets you discover dependencies in real time using the “Explore” functionality, allowing you to plan the rollout of changes more easily and avoid risky changes to core components. You can understand an application starting with just an AWS resource name or public data point and expanding outwards, without significant knowledge of AWS or the application itself.
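To make the two ideas above concrete, here is an added example (not code from Rover, Overmind or the original post) that reads the JSON form of a Terraform plan, as produced by terraform show -json, to list the resources an apply would touch, and then walks a dependency map to compute a blast radius that includes items outside Terraform. The plan document, the dependency map and every resource address are constructed for illustration.

```python
import json
from collections import deque

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this example reads. Addresses are illustrative, not from any real plan.
PLAN_JSON = """
{
  "resource_changes": [
    {"address": "aws_security_group.api", "change": {"actions": ["update"]}},
    {"address": "aws_route53_record.api", "change": {"actions": ["delete", "create"]}},
    {"address": "aws_efs_file_system.data", "change": {"actions": ["no-op"]}},
    {"address": "aws_eks_node_group.workers", "change": {"actions": ["create"]}}
  ]
}
"""

# Constructed dependency map: resource -> items that depend on it. It mixes
# Terraform-managed resources with items discovered outside Terraform
# (a manually created load balancer, a DNS name, an HTTP endpoint).
DEPENDENTS = {
    "aws_security_group.api": ["aws_eks_node_group.workers", "manual:alb/api-public"],
    "aws_route53_record.api": ["dns:api.example.com"],
    "manual:alb/api-public": ["dns:api.example.com"],
    "dns:api.example.com": ["http:https://api.example.com/health"],
}

def changed_resources(plan_json: str) -> dict:
    """Return {address: action} for every resource the plan will touch.
    Terraform encodes a replace as ["delete","create"] or ["create","delete"]."""
    changes = {}
    for rc in json.loads(plan_json)["resource_changes"]:
        actions = rc["change"]["actions"]
        if actions == ["no-op"] or actions == ["read"]:
            continue  # untouched resources and data-source reads are not changes
        changes[rc["address"]] = "replace" if len(actions) > 1 else actions[0]
    return changes

def blast_radius(changed: dict, dependents: dict) -> set:
    """Transitive closure of everything downstream of a changed resource,
    excluding the changed resources themselves (breadth-first walk)."""
    seen, queue = set(), deque(changed)
    while queue:
        node = queue.popleft()
        for dep in dependents.get(node, []):
            if dep not in seen and dep not in changed:
                seen.add(dep)
                queue.append(dep)
    return seen
```

Calling blast_radius(changed_resources(PLAN_JSON), DEPENDENTS) reports the load balancer, the DNS name and the health endpoint, none of which appear in the plan itself.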
If you want to just try this out on public data (HTTP, DNS etc), you can use the new Playground without needing to sign up.
Before jumping into a comparison of the two, it is worth providing some context on the application we are going to be making changes to. It is a Kubernetes cluster that manages some API gateways using AWS services such as EKS, EFS and Route53.
Let’s take a look at what this change would look like within Rover. By taking that same Terraform plan output and running it through Rover, we get the following.
Within Overmind, by selecting the resource that we will be changing, we get the following blast radius. We are able to see the items related to this resource that we are changing, meaning that we are informed on the impact of this change.
To compare the two: Rover does a great job of visually showing you the output of your Terraform plan, but with many dependencies the graph can be quite complex to understand. As Overmind only shows what will be impacted, it is easier to navigate, so you’re more likely to identify any issues ahead of time.
Both tools are freely available: